WatchGuard® Fireware Migration Guide
WatchGuard Fireware v8.0
WatchGuard System Manager v8.0
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright, Trademark, and Patent Information
Copyright © 1998-2005 WatchGuard Technologies, Inc. All rights reserved.
Contents

CHAPTER 1 Introducing WatchGuard System Manager with Fireware Pro (page 1)
  What is Fireware Pro? (page 1)
  Using Fireware appliance software tools (page 2)
  What's New with WatchGuard System Manager? (page 2)
  Enhancements to WFS appliance software (page 3)
  WatchGuard Servers

CHAPTER 3 Putting Fireware on the Firebox (page 23)
  Using the Quick Setup Wizard (page 23)
  Connecting to the Firebox (page 31)
  Using fbxinstall.exe (page 33)
  Restoring a Backup Image (page 33)
  Upgrading to Fireware Pro
CHAPTER 1 Introducing WatchGuard System Manager with Fireware Pro

What is Fireware Pro?
WatchGuard® System Manager (WSM) v8.0 is an important software release for WatchGuard customers. This release introduces our next-generation Fireware™ Pro appliance software. It also enhances the current WSM management software. With WSM v8.0, you can manage Firebox® X Edge, Firebox X Core, and Firebox X Peak devices at the same time from the same management station.
Using Fireware appliance software tools
When you install WatchGuard System Manager, it automatically installs the software tools you must have to configure and manage a Firebox X Core or Firebox X Peak with Fireware Pro appliance software. These include:
• Fireware Firebox Manager
• Fireware Policy Manager
• Fireware HostWatch
When you add a device to the WatchGuard System Manager Devices tab, the system identifies which appliance software the Firebox uses.
What's New with WatchGuard System Manager?
• Interface independence
• Signature-based intrusion prevention with stateful signature matching
• Multi-WAN for more flexibility and network connection time
• Dynamic routing of these protocols: BGP, OSPF, RIPv1 & v2
• Quality of Service (QoS), which uses "virtual pipes" to route the traffic to align with your business requirements
• Active Directory and LDAP integration
• Application Server Load Sharing and enhanced policy management interface for advanced contr
• Centralized management of VPN tunnel configurations
• Certificate authority for distributing certificates for IPSec tunnels

Log Server
The Log Server collects log messages, event messages, alarms, and diagnostic messages from one or more Firebox devices. The log messages are now kept in *.xml format. This allows you to use third-party XML tools to create your own custom reports. The Log Server was formerly known as the WatchGuard Security Event Processor (WSEP).
Comparing WFS and Fireware Pro

Feature or Functional Area | Complete | Ease of Use | Like WFS | Notes
High Availability | | | |
Application Layer Filtering | | | |
Dynamic Routing | Yes | No | N/A | Basically the same UI as in Vclass. We intend to make this user friendly in a future release.

Authentication
Radius | Yes | No | Almost | No UI integration with the authentication server. Does not download the list of users and groups.
LDAP | Yes | No | N/A | No UI integration with the authentication server. Does not download the list of users and groups.
Active Directory | Yes | No | N/A | No UI integration with the authentication server. Does not download the list of users and groups.

Management
IPSec Passthrough | Yes | Off by default | Yes | Turned off by default to push people towards using NAT-T, which is a more stable and scalable solution. To configure IPSec passthrough, you have to enable the global option and create an IPSec policy to allow the traffic.
IPSec Licensing | Yes | Yes | No | The number of phase-2 SAs is licensed. WFS licensed phase-1 SAs.
| Yes | Yes | Yes | Only tunnels that are "up" will display in the front panel tree.
| Yes | Yes | Improved | You can add sites to the blocked sites list.
WFS to Fireware | Future Release | Yes | N/A | Will produce a comprehensive report of the configuration conversion and identify any areas that need customer attention.
Policy Manager | Yes | Yes | Yes | Entirely new for Fireware 8.

Supportability
Access to troubleshooting information (ike.dat, …) | Yes | Yes | No | Improved user access.
On Line Help | No | No | Yes | We may not be able to ship as complete a help system this time due to schedule constraints.
CHAPTER 2 Installing the WatchGuard System Manager software
Before you can operate a Firebox with WatchGuard Fireware Pro, you must install the WatchGuard System Manager v8.0 upgrade on your management station. If the Firebox was a DVCP/CA server, you must move the configuration properties to the Management Server.
Installing the management station software

Installation requirements
Before you install WatchGuard System Manager, make sure that you have these items:
• WatchGuard Firebox security device
• WatchGuard System Manager CD-ROM
• A serial cable (blue)
• Three crossover Ethernet cables (red)
• Three straight Ethernet cables (green)
• Power cable
• LiveSecurity service license key
It is also good to restart your Firebox before you start the upgrade procedure.
Saving the configuration file
You can save the configuration file of a Firebox on the device itself. You can also save it as a file on a local hard disk drive. Before you migrate, we recommend that you save the configuration file to a local hard disk drive.
1 From WFS Policy Manager, select File > Save > As File.
2 Type the name of the configuration file. Click Save.
The configuration file has the file extension *.wfg.
2 Type the configuration passphrase. Click OK.
3 Select Make backup of current flash image before saving.
4 Type a strong encryption key that is easy to remember. Type it again.
5 Click Continue.
The backup image has the file extension *.fbi.

Installing the software
With WatchGuard System Manager v8.0, you can have more than one management software version on one management station. Make sure you select a different folder name for each installation.
Setting Up the Management Server
With WSM 8.0, the DVCP server moves off the Firebox and onto a computer that uses the Windows operating system. This gives increased scalability and flexibility for the network administrator. The Management Server has the same functions as the DVCP/CA server from previous releases of WSM. These functions are:
• Centralized management of VPN tunnel configurations
• Certificate authority to make and to send out certificates for IPSec tunnels
You use the Management Server Setup Wizard to configure your Management Server. If you use a Firebox as a DVCP server, the wizard also moves the DVCP server features and Certificate Authority from the Firebox to your Management Server.
1 From the Windows desktop, double-click the Management Server icon on the WatchGuard toolbar. The Management Server Setup Wizard appears.
2 Select Start Service.
Migrating Basic DVCP Tunnels while setting up a Management Server
WatchGuard System Manager 8.0 provides a wizard that migrates your WFS DVCP server configuration to the new WatchGuard Management Server. This wizard is called the Management Server Setup Wizard and is launched from the WatchGuard toolbar in the Windows taskbar.
Viewing the network with WatchGuard System Manager
After you complete the Management Server Configuration Wizard, your network can now use WSM 8.0. If you had Firebox clients connected to a Firebox DVCP server, those Firebox devices now connect to the Management Server. A policy on your gateway Firebox allows traffic from your Firebox clients to reach the Management Server.
4 Expand the Management Server entry to see the Firebox clients managed by this Management Server.

Upgrade appliance software to WFS 7.4
After you install the WSM management software and WFS 7.4 on the gateway Firebox, you can use WFS Policy Manager to put WFS 7.4 on other Firebox devices. This is an optional procedure. Your Management Server can connect to and manage Firebox devices which use WFS 7.3.
Setting Up the Log Server
You must also use Policy Manager to define the Log Servers for each Firebox. For more information, see the user guides in the Documentation folder on your management station.
1 From the WatchGuard toolbar, select the Log Server icon. The WatchGuard Log Server Configuration dialog box appears.
2 Type the encryption key to use for the secure connection between the Firebox and the log hosts.
Merging log files from WFS 7.3 and before into the new XML format
When you migrate from a previous version of WatchGuard System Manager to WSM 8.0, you can convert log files from .wgl to .xml format. This is also helpful if you operate in a mixed environment with different versions of WSM. After converting, you can use your WSM 8.0 LogViewer or reporting tools on log files created with WatchGuard Management System 7.3 or earlier. When you convert a log file from .wgl to .
Setting Up the WebBlocker Server
The first time you connect to the WebBlocker Server, it downloads the WebBlocker database.
1 From the Windows desktop, click the WebBlocker Server icon on the WatchGuard toolbar. The Download WebBlocker Database dialog box appears.
2 Click Download. The file is more than 60 megabytes. The speed of your Internet connection determines how long the download takes.
3 When the file download is complete, right-click the WebBlocker Server icon.
CHAPTER 3 Putting Fireware on the Firebox
There are two methods to put Fireware on a Firebox which has WFS 7.x:
• Use the Quick Setup Wizard to make a simple configuration file and to save the configuration file and Fireware to the Firebox. This is the preferred method.
• Use the fbxinstall.exe command line utility.

Using the Quick Setup Wizard
We recommend that you use the Quick Setup Wizard to put Fireware Pro on the Firebox along with a basic configuration file.
station. Then make the cable connections you select. When you complete the connections, click Next.
3 You can use the Fireware appliance software on a Firebox X Peak or a Firebox X Core. You cannot use a Firebox III or Firebox X Edge device. Use the Firebox Model drop-down list to select the model line of your unit. The screen changes to match the selection. Instructions appear on how to start the unit in Safe Mode.
5 If your management station has more than one interface, you must select the interface you use to configure the Firebox. Select the correct interface and then click Next.
6 The Quick Setup Wizard looks for a Firebox on the same network as the management station interface. If there is more than one Firebox, you must select the correct Firebox from a list and click Next. When a Firebox is found and selected, a status screen appears.
7 Type the identifying information for the Firebox. Click Next.
8 Add the license. Click Next.
9 Select Static IP Addressing for this example. Click Next.
10 Type the IP address and default gateway. Click Next.
11 Type the trusted interface IP address and the optional interface address if you use one. Click Next.
12 Type a secondary IP address if there is one. Click Next.
13 Type and repeat the passphrases for the Firebox. Click Next.
14 A temporary IP address is listed. Click Next.
15 This information screen appears while the wizard configures the Firebox.
16 The process is complete. Click Finish. You are now ready to configure the Firebox.
Connecting to the Firebox
1 Open WatchGuard System Manager.
2 Click the Connect to Device icon.
3 Type the trusted interface IP address. Click OK.
4 Click the Policy Manager icon.
5 The Fireware Policy Manager is where you make the configuration changes that match what you have in your WFS 7.x policy.
Using fbxinstall.exe
You can also use the fbxinstall.exe utility to install Fireware 8.0. fbxinstall.exe is a command line utility that allows you to:
• Upgrade a Firebox X with WFS 7.x firmware and a WFS 7.x configuration to Fireware Pro
• Restore an upgraded Firebox from WFS 8.0 back to its original WFS 7.x software and configuration

Restoring a Backup Image
This process restores a backup image to a Firebox running WFS 8.0.
10 The installation completes. WFS 8.0 is installed. You now create a new configuration file using the Quick Setup Wizard.
CHAPTER 4 Making a Fireware Configuration
At this time, there is no configuration tool which automatically converts a WFS 7.x configuration file to a Fireware Pro configuration. The two appliance software versions are very different. You begin with the configuration file you saved at the end of the Fireware Quick Setup Wizard. One quick method to make your Fireware configuration file is to open the new Fireware file in one window.
Basic Configuration Properties

Connecting to a Firebox with Fireware Pro
1 From WSM, click the Policy Manager icon. This opens an empty Policy Manager.
2 Select File > New. You are asked to select a Firebox model.
3 Select the model that matches your Firebox X (Fireware 8.0) and name the file. Click OK.
4 The untitled.xml Policy Manager for Fireware opens.
entry in Fireware Policy Manager by selecting the appropriate interface entry and clicking Configure. If an interface is not necessary, select Disabled as the interface type.
[Screenshots: WFS 7.3 Network Configuration; Fireware Network Configuration]
Multiple interfaces of a given type are available. This is what gives support for the new Multi-WAN feature of Fireware. This dialog box is also where you create secondary networks as well as make any adjustments to the NIC speed.
Configuring your Network
1 Select an interface from Fireware Policy Manager Network > Configuration.
2 Click Configure. The Interface Settings dialog box opens.
3 Type the interface name and description.
4 Select the interface type of trusted, external, optional or disabled.
5 Select static, DHCP or PPPoE.
6 Type the interface IP address.
7 Type the default gateway.
8 Click OK.

DHCP Server
1 From Fireware Policy Manager, select Network > Configuration.
2 Select any trusted or optional interface and click Configure.
3 Select the DHCP radio button and type the Host ID.
4 Click OK.
Note that with Fireware you must enable the DHCP server for each interface. The WFS DHCP server configuration took a list of address ranges and functioned on the appropriate trusted or optional interfaces. With Fireware you specify the address ranges you want the server to hand out for each interface.
Intrusion Prevention/Default Packet Handling
Many of the same options are available in WFS Policy Manager. Nearly all the options are the same. However, logging of broadcast traffic is turned on by default. To turn this off, add a policy that matches the traffic with logging disabled. The logging for Incoming/Outgoing packets not handled is managed by the Logging dialog of the Default policy.
these (such as via a supernet), make certain to add a Blocked Sites Exceptions entry for the networks or hosts that are safe.
NOTE If you list the IP address of your trusted network as a blocked site, you create a Denial of Service (DoS) and effectively disable the trusted network.
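As an added pre-migration sanity check for the caution above (example code written for this guide, not a WatchGuard tool), this Python snippet reports any trusted network that a blocked-sites entry, such as a supernet, would cut off without a Blocked Sites Exception that covers it. The network values are constructed samples.

```python
import ipaddress

# Constructed sample values (not from the guide): the trusted networks, a
# blocked-sites list that contains a supernet, and the exceptions list.
TRUSTED_NETWORKS = ["10.0.1.0/24", "10.0.2.0/24", "192.168.50.10"]
BLOCKED_SITES = ["10.0.0.0/16", "203.0.113.45"]
BLOCKED_SITES_EXCEPTIONS = ["10.0.1.0/24"]


def to_network(entry):
    """Parse a single host or a CIDR block into an ip_network object."""
    return ipaddress.ip_network(entry, strict=False)


def find_blocked_trusted(trusted, blocked, exceptions):
    """Report trusted networks that the blocked-sites list would cut off.

    A trusted network is flagged when a blocked entry overlaps it and no
    Blocked Sites Exception covers the whole trusted network. Returns a
    list of (trusted_network, blocking_entry) string pairs.
    """
    blocked_nets = [to_network(b) for b in blocked]
    exception_nets = [to_network(e) for e in exceptions]
    findings = []
    for t in (to_network(x) for x in trusted):
        # An exception only protects the trusted network if it covers all of it.
        if any(e.version == t.version and t.subnet_of(e) for e in exception_nets):
            continue
        for b in blocked_nets:
            if b.version == t.version and t.overlaps(b):
                findings.append((str(t), str(b)))
                break
    return findings


def check_is_safe(trusted, blocked, exceptions):
    """True when no trusted network would be blocked without an exception."""
    return not find_blocked_trusted(trusted, blocked, exceptions)


if __name__ == "__main__":
    for trusted_net, blocker in find_blocked_trusted(
        TRUSTED_NETWORKS, BLOCKED_SITES, BLOCKED_SITES_EXCEPTIONS
    ):
        print(f"trusted {trusted_net} would be blocked by {blocker}; add an exception")
```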
Network Address Translation (NAT)

Dynamic NAT

1-to-1 NAT Setup (Advanced)
1 Select the 1-to-1 NAT tab from Fireware Policy Manager Network > Firewall NAT.
2 To add an entry, click Add.
3 Type the information and click OK.

Logging
The logging setup dialog has new selections in Fireware Policy Manager.
1 From Policy Manager, select Setup > Logging.
2 To add a log host, click Configure.
3 Type an encryption key and then confirm it. Encryption keys are a minimum of eight (8) characters.
4 To add a Syslog host, select Syslog and click Configure.
5 Type the IP address of the Syslog Server.
6 Select a facility for each log type.
7 Click OK.

Firewall Authentication
The Java applet used for firewall authentication is no longer used. This eliminates the need for the time-outs listed here.
[Screenshots: WSM 7.x Firewall Authentication; WFS 8.0 Authentication Servers]

Virtual Private Networking

Firebox Managed Clients
The DVCP client only communicates with a WSM 8.0 management server. It is not backwards compatible with any previous version.

Remote User
From Policy Manager, select VPN > Remote Users.

Mobile User VPN
Fireware only supports MUVPN using Extended Authentication Groups.
Policies within Fireware are split into three sets, or arenas. The arenas are associated with either Firewall policies, VPN policies or MUVPN policies (as indicated by the three tabs in the main service arena). In order to allow traffic across VPNs or MUVPNs, you must add policies to the associated arena.

Gateways
From Policy Manager, select VPN > Branch Office Gateways. Fireware does not support connection initiation to dynamic IP addressed peers.
Tunnels
From Policy Manager, select VPN > Branch Office Tunnels.

IPSec Routing Policies
1 Adjust the Addresses section from Policy Manager VPN > Branch Office Tunnels.
2 Click Add.
3 In the Addresses section of the New Tunnel dialog box, click Add.
4 Complete the information in the Local-Remote Pair Settings dialog box.
5 Click OK.
If the WFS routing policies configuration shows multiple policies using the same tunnel, then you cannot migrate this configuration. In Fireware, each entry in the "Addresses" section results in a set of SAs (a tunnel in WFS terms).
Services
Fireware handles services in a completely different manner than WFS. The biggest change is the lack of Incoming and Outgoing tabs in what are now called policy icons. Each policy icon now has a tab for configuring the familiar "From:" and "To:" traffic specification, a tab for viewing and managing the properties of the policy, and an Advanced tab.
differently than those provided by the global NAT tables, modify the Global NAT Rules on the Advanced tab.
CHAPTER 5 Working with Proxies
Fireware 8.0 proxy configuration offers new choices and more configuration possibilities than what is available in WSM 7.x. You have the ability to control more of the actions of each proxy while maintaining complete network security. In this section you learn how to migrate your WFS 7.x proxies to Fireware 8.0:
• FTP
• HTTP
• SMTP
For information about working with proxies, see the Fireware Configuration Guide.
Proxy Migration
With the removal of directionality, the default proxy actions are named so that they represent typical situations in which they are used to protect resources. For example, there is an HTTP Client proxy. Client means that this proxy serves as protection for HTTP clients. In other words, it is most likely used on an outgoing policy. Open proxy actions in Fireware Policy Manager Setup > Actions > Proxy Actions.
The categories are typically separated into areas for general settings, some protocol-specific items, and then some common configuration items such as IPS and alarms. Some of the configuration categories display rulesets: embedded policy tables that are designed to selectively apply certain actions based upon particular protocol content.
NOTE WatchGuard System Manager v8.0 supports on the destination port only.
Configuring the HTTP Proxy
Each entry below gives the WFS 7.x setting followed by where the same control lives in Fireware 8.0.

WFS 7.x: Settings > Remove client connection info
Fireware 8.0: HTTP Request > Header Fields, strip or allow the patterns "From:" and "Via"

WFS 7.x: Settings > Deny submissions
Fireware 8.0: In HTTP Request > Request Methods, deny or allow the pattern "POST"

WFS 7.x: Settings > Deny ActiveX applets
Fireware 8.0: In HTTP Response > Body Content Types, deny or allow the "FIXME" rule

WFS 7.x: Settings > Log accounting/auditing information
Fireware 8.0: In HTTP Request > General Settings, toggle "Send a log message for each HTTP connection request"

WFS 7.x: Settings > Require Content Type
Fireware 8.0: In HTTP Response > Content Types, enable or disable the "FIXME" rule

WFS 7.x: Settings > Idle timeout
Fireware 8.0: In HTTP Request > General Settings, adjust the "Idle Timeout"

WFS 7.x: Settings > Use Proxy Cache Server
Fireware 8.0: Fireware does not currently support this feature. You cannot migrate this parameter.

WFS 7.x: Safe Content > Allow only safe content types
Fireware 8.0: HTTP Response > Content Types

WFS 7.x: Safe Content > Deny Unsafe Path Patterns
Fireware 8.0: HTTP Request > URL Paths

Configuring the Incoming SMTP Proxy
This section illustrates how various parameters are configured in the incoming SMTP proxy in WFS 7.x and Fireware 8.0. Use this information as a guide when you create Fireware 8.0 policies that mirror your WFS 7.x policies.
Clone the SMTP-Incoming Proxy Action.

General
Some of this information is available in General > General Settings. The "Address Validation (RFC-822 Compliance)" is now managed in General > Greeting Rules by the "Non-allowed characters" rule.

Address Patterns
If there is a mixture of allowed and denied entries, you must change the ruleset view and apply the different actions on a per-rule basis.

Headers
[Screenshots: WFS 7.x Headers; Fireware 8.0 Headers]

Logging
"Log accounting/auditing information" is the "Send a log message for each connection request" in General > General Settings.
Outgoing SMTP
This section illustrates how various parameters are configured in the outgoing SMTP proxy in WFS 7.x and Fireware 8.0. Use this information as a guide when you create Fireware 8.0 policies that mirror your WFS 7.x policies. Clone the SMTP Outgoing proxy action.

General
"Allow these Header Patterns" is available in Headers.
"Idle" value is available in General > General Settings.

Masquerading
Build any patterns in the Address > Mail From ruleset under the "advanced view" (click "Change View"). When you add a rule here, you have the option of specifying a "Replace" action. The "Domain Name" listed in WFS is the value with which to replace it.
"Masquerade Message IDs" is not fully available in Fireware. You can rewrite the user ID portion of the Message ID by enabling the "Message ID" checkbox in General > General Settings > Hide E-Mail Server.
"Masquerade MIME boundary strings" is not available in Fireware. You cannot migrate this setting.

Logging
"Log removal of unknown headers" is the "Log" checkbox in the "None matched" action from "Actions to take" within Headers.
"Log domain masquerading" is available via the "Log" checkbox in the "Rule actions" section of Address > Mail From for any rule that is added.
"Log accounting/auditing information" is the "Send a log message for each connection request" in General > General Settings.
FTP Proxy
This section illustrates how various parameters are configured in the FTP proxy in WFS 7.x and Fireware 8.0. Use this information as a guide when you create Fireware 8.0 policies that mirror your WFS 7.x policies. Clone the FTP-Client or FTP-Server proxy action.

WFS 7.x: Make connections read only
Fireware 8.0: Make connections read only

WFS 7.x: Deny incoming SITE command
Fireware 8.0: Restrict the SITE command from the allowed list in the "Commands" ruleset.

WFS 7.x: Force FTP session timeout
Fireware 8.0: Not available in Fireware. You cannot migrate this option.

WFS 7.x: "Log incoming accounting/auditing information"
Fireware 8.0: Enable the "Send a log message for each connection request" checkbox.